<p>When a cookie is protected with the <code>secure</code> attribute set to <em>true</em> it will not be send by the browser over an unencrypted HTTP
request and thus cannot be observed by an unauthorized person during a man-in-the-middle attack.</p>
<h2>Ask Yourself Whether</h2>
<ul>
  <li> the cookie is for instance a <em>session-cookie</em> not designed to be sent over non-HTTPS communication. </li>
  <li> it’s not sure that the website contains <a href="https://developer.mozilla.org/en-US/docs/Web/Security/Mixed_content">mixed content</a> or not
  (ie HTTPS everywhere or not) </li>
</ul>
<p>There is a risk if you answered yes to any of those questions.</p>
<h2>Recommended Secure Coding Practices</h2>
<ul>
  <li> It is recommended to use <code>HTTPs</code> everywhere so setting the <code>secure</code> flag to <em>true</em> should be the default behaviour
  when creating cookies. </li>
  <li> Set the <code>secure</code> flag to <em>true</em> for session-cookies. </li>
</ul>
<h2>Sensitive Code Example</h2>
<p><a href="https://www.npmjs.com/package/cookie-session">cookie-session</a> module:</p>
<pre>
let session = cookieSession({
  secure: false,// Sensitive
});  // Sensitive
</pre>
<p><a href="https://www.npmjs.com/package/express-session">express-session</a> module:</p>
<pre>
const express = require('express');
const session = require('express-session');

let app = express();
app.use(session({
  cookie:
  {
    secure: false // Sensitive
  }
}));
</pre>
<p><a href="https://www.npmjs.com/package/cookies">cookies</a> module:</p>
<pre>
let cookies = new Cookies(req, res, { keys: keys });

cookies.set('LastVisit', new Date().toISOString(), {
  secure: false // Sensitive
}); // Sensitive
</pre>
<p><a href="https://www.npmjs.com/package/csurf">csurf</a> module:</p>
<pre>
const cookieParser = require('cookie-parser');
const csrf = require('csurf');
const express = require('express');

let csrfProtection = csrf({ cookie: { secure: false }}); // Sensitive
</pre>
<h2>Compliant Solution</h2>
<p><a href="https://www.npmjs.com/package/cookie-session">cookie-session</a> module:</p>
<pre>
let session = cookieSession({
  secure: true,// Compliant
});  // Compliant
</pre>
<p><a href="https://www.npmjs.com/package/express-session">express-session</a> module:</p>
<pre>
const express = require('express');
const session = require('express-session');

let app = express();
app.use(session({
  cookie:
  {
    secure: true // Compliant
  }
}));
</pre>
<p><a href="https://www.npmjs.com/package/cookies">cookies</a> module:</p>
<pre>
let cookies = new Cookies(req, res, { keys: keys });

cookies.set('LastVisit', new Date().toISOString(), {
  secure: true // Compliant
}); // Compliant
</pre>
<p><a href="https://www.npmjs.com/package/csurf">csurf</a> module:</p>
<pre>
const cookieParser = require('cookie-parser');
const csrf = require('csurf');
const express = require('express');

let csrfProtection = csrf({ cookie: { secure: true }}); // Compliant
</pre>
<h2>See</h2>
<ul>
  <li> OWASP - <a href="https://owasp.org/Top10/A04_2021-Insecure_Design/">Top 10 2021 Category A4 - Insecure Design</a> </li>
  <li> OWASP - <a href="https://owasp.org/Top10/A05_2021-Security_Misconfiguration/">Top 10 2021 Category A5 - Security Misconfiguration</a> </li>
  <li> OWASP - <a href="https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure">Top 10 2017 Category A3 - Sensitive Data
  Exposure</a> </li>
  <li> CWE - <a href="https://cwe.mitre.org/data/definitions/311">CWE-311 - Missing Encryption of Sensitive Data</a> </li>
  <li> CWE - <a href="https://cwe.mitre.org/data/definitions/315">CWE-315 - Cleartext Storage of Sensitive Information in a Cookie</a> </li>
  <li> CWE - <a href="https://cwe.mitre.org/data/definitions/614">CWE-614 - Sensitive Cookie in HTTPS Session Without 'Secure' Attribute</a> </li>
  <li> STIG Viewer - <a href="https://stigviewer.com/stigs/application_security_and_development/2024-12-06/finding/V-222576">Application Security and
  Development: V-222576</a> - The application must set the secure flag on session cookies. </li>
</ul>
